Update

.github/workflows/deploy-infra.yml

@@ -224,29 +224,3 @@ jobs:
         ARM_USE_OIDC: true
         LOCK: ${{ steps.lock_arg.outputs.val }}
       working-directory: ${{ env.tf_actions_working_dir }}
-
-  hack:
-    name: Hack for Application chatgpt-lite
-    runs-on: ubuntu-latest
-    environment: production
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Log in to Azure using OIDC
-      uses: azure/login@v1
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Get Service Account Issuers
-      run: |
-        echo "SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group rg-devdaysasia2023 --name aks-devdaysasia2023 --query oidcIssuerProfile.issuerUrl -otsv)" >> $GITHUB_ENV"
-
-        - name: Create credential.json
-        run: echo '{"issuer": "'"${SERVICE_ACCOUNT_ISSUER:-NULL}"'"}' > credential.json
-
-    - name: Update Service Principle
-      run: |
-        az ad app federated-credential update --id ${{ secrets.AZURE_CLIENT_ID }} --federation-provider-id ${{ secrets.FEDERATION_PROVIDER_ID }} --parameters credential.json

.github/workflows/hack.yml

@@ -0,0 +1,55 @@
+name: Hack for Application
+
+# on:[push]
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: "Who to greet"
+        default: "World"
+
+  pull_request:
+    paths:
+    - infra/**
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  hack-chatgpt-lite:
+    name: Hack for Application chatgpt-lite
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Log in to Azure using OIDC
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AOAI_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        audience: api://AzureADTokenExchange
+
+    - name: Get Service Account Issuers
+      run: |
+        echo "SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group rg-devdaysasia2023 --name aks-devdaysasia2023 --query oidcIssuerProfile.issuerUrl -otsv)" >> $GITHUB_ENV
+
+    - name: Create credential.json
+      uses: jsdaniell/create-json@v1.2.2
+      with:
+        name: credential.json
+        json: ${{ secrets.CREDENTIAL_JSON }}
+
+    - name: Update credential.json
+      uses: jossef/action-set-json-field@v2.1
+      with:
+        file: credential.json
+        field: issuer
+        value: ${{ env.SERVICE_ACCOUNT_ISSUER }}
+
+    - name: Update Service Principle
+      run: |
+        az ad app federated-credential update --id ${{ secrets.AZURE_CLIENT_ID }} --federation-credential-id ${{ secrets.FEDERATION_PROVIDER_ID }} --parameters credential.json

README.md

@@ -17,7 +17,7 @@
     - [x] Enable Azure Service Mesh
   - [x] Surrounding Services
     - [x] Azure Log Analytics Workspace
-    - [x] Azure Monitor managed service for Prometheus
+    - [ ] Azure Monitor managed service for Prometheus
     - [x] Azure Managed Grafana
     - [x] Azure OpenAI (AOAI): The service should be provisioned by manual, and get the API key
     - [x] Workload Identiy with OIDC

infra/aks.tf

@@ -115,8 +115,19 @@ resource "azurerm_kubernetes_cluster" "aks" {
     msi_auth_for_monitoring_enabled = true
   }
 
+  monitor_metrics {
+    annotations_allowed = null
+    labels_allowed      = null
+  }
+
   depends_on = [azurerm_log_analytics_workspace.law-logging]
 
+  lifecycle {
+    ignore_changes = [
+      default_node_pool[0].node_count
+    ]
+  }
+
 }
 
 resource "azurerm_kubernetes_cluster_node_pool" "nodepool-spot" {
@@ -145,4 +156,12 @@ resource "azurerm_kubernetes_cluster_node_pool" "nodepool-spot" {
 
   vnet_subnet_id = azurerm_subnet.subnet-aks-spot.id
 
+  depends_on = [azurerm_kubernetes_cluster.aks, azurerm_subnet.subnet-aks-spot]
+
+  lifecycle {
+    ignore_changes = [
+      node_count
+    ]
+  }
+
 }

infra/monitor.tf

@@ -29,3 +29,68 @@ resource "azurerm_dashboard_grafana" "grafana-aks" {
 
   depends_on = [azurerm_monitor_workspace.amw-aks]
 }
+
+# https://github.com/Azure/prometheus-collector/blob/main/AddonTerraformTemplate/main.tf
+resource "azurerm_monitor_data_collection_endpoint" "dce" {
+  name                = "dce-MSProm-aks"
+  resource_group_name = var.lab-rg
+  location            = var.lab-location
+  kind                = "Linux"
+
+  depends_on = [azurerm_resource_group.resource-group]
+}
+
+resource "azurerm_monitor_data_collection_rule" "dcr" {
+  name                        = "dcr-MSProm-aks"
+  resource_group_name         = var.lab-rg
+  location                    = var.lab-location
+  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.dce.id
+  kind                        = "Linux"
+
+  destinations {
+    monitor_account {
+      monitor_account_id = azurerm_monitor_workspace.amw-aks.id
+      name               = "MonitoringAccount-aks"
+    }
+  }
+
+  data_flow {
+    streams      = ["Microsoft-PrometheusMetrics"]
+    destinations = ["MonitoringAccount-aks"]
+  }
+
+
+  data_sources {
+    prometheus_forwarder {
+      streams = ["Microsoft-PrometheusMetrics"]
+      name    = "PrometheusDataSource"
+    }
+  }
+
+  description = "DCR for Azure Monitor Metrics Profile (Managed Prometheus)"
+  depends_on = [
+    azurerm_monitor_data_collection_endpoint.dce
+  ]
+}
+
+resource "azurerm_monitor_data_collection_rule_association" "dcra" {
+  name                    = "dcra-MSProm-aks"
+  target_resource_id      = azurerm_kubernetes_cluster.aks.id
+  data_collection_rule_id = azurerm_monitor_data_collection_rule.dcr.id
+  description             = "Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster."
+  depends_on = [
+    azurerm_monitor_data_collection_rule.dcr
+  ]
+}
+
+# resource "azurerm_role_assignment" "amw-datareaderrole" {
+#   scope = azurerm_monitor_workspace.amw-aks.id
+
+#   # https://www.azadvertizer.net/azrolesadvertizer/b0d8363b-8ddd-447d-831f-62ca05bff136.html
+#   role_definition_id = "/subscriptions/${split("/", azurerm_monitor_workspace.amw-aks.id)[2]}/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136"
+#   principal_id       = azurerm_dashboard_grafana.grafana-aks.identity[0].principal_id
+#   depends_on = [
+#     azurerm_monitor_workspace.amw-aks,
+#     azurerm_dashboard_grafana.grafana-aks
+#   ]
+# }